Bridging Compliance: Where SOC 2 and C5 Overlap and How to Leverage Both
Cybersecurity Assessments | Cloud Computing | SOC Examinations | SOC 2
Published: Apr 29, 2025
As cloud services continue to expand globally, service providers are increasingly expected to demonstrate compliance with a variety of frameworks depending on where their customers operate. Two commonly requested assurance reports are the American Institute of Certified Public Accountants (AICPA) SOC 2 attestation report and the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or "BSI") Cloud Computing Compliance Criteria Catalogue (C5) attestation report.
As organizations expand their cloud operations and customer bases, the growing need to address and navigate both frameworks is becoming more prevalent. Fortunately, SOC 2 and C5 share many common elements, and a streamlined approach can reduce redundancy, effort, and cost. In this article, we’ll explore how these two standards overlap with each other and the benefits of pursuing both, as well as provide practical guidance for approaching the frameworks efficiently.
What is a SOC 2 Report?
A SOC 2 report is an attestation report, issued by an independent CPA firm under AICPA standards, that evaluates the effectiveness of a service organization's internal controls relevant to security and, optionally, the other Trust Services categories. It is most commonly pursued by service organizations that want to demonstrate their commitment to protecting the sensitive customer data they handle throughout their business operations.
SOC 2 reports are based on the Trust Services Criteria (TSC), which include:
- Security (required)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Service organizations can select which of these categories to include in their report based on their service commitments and customer expectations.
There are two types of SOC 2 reports offered:
- Type 1 assesses the design of controls at a point in time.
- Type 2 evaluates the operating effectiveness of those controls over a defined period (typically 6–12 months).
The process includes a readiness assessment (which is optional), evidence collection, control testing by an independent CPA firm, and formal reporting.
Organizations that benefit from a SOC 2 report are those that store, process, or transmit customer data, including cloud providers, managed service providers, fintech companies, health tech platforms, and more. A SOC 2 report is often required during vendor due diligence and can be a differentiator in competitive markets.
What is a C5 Report?
C5 is a framework developed by the BSI in Germany. It is specifically designed for cloud service providers (CSPs) and focuses on cloud-specific security requirements aligned with German and EU regulatory expectations.
C5 is a control framework against which organizations can be audited. It includes 17 categories with more than 100 controls spanning the following key areas:
- Organization of information security
- Physical and environmental security
- Operational and technical measures
- Incident and risk management
- Compliance with legal and regulatory requirements
C5 comes in two types:
- Type 1 assesses the design of controls at a point in time.
- Type 2 evaluates the operating effectiveness of those controls over a defined period. Beginning in July 2025, CSPs are required to have a Type 2 assessment, and a Type 1 assessment will no longer be sufficient.
Audits are typically performed by an accredited independent third party, such as a CPA or IT audit firm, and result in a report that outlines the implementation and effectiveness of the C5 controls. Organizations who pursue a C5 report generally serve customers in the EU and need to demonstrate alignment with local expectations around data sovereignty, transparency, and security.
SOC 2 and C5 Reports: Key Areas of Overlap
Although SOC 2 and C5 originate from different governing bodies and geographic regions, they target many of the same core risks and control areas. Key areas of alignment include:
- Access Control: Both require strict access management, including authentication, authorization, and regular access reviews.
- Security Monitoring and Logging: Both emphasize the need for continuous monitoring, log collection, and analysis to detect and respond to incidents.
- Risk Management: Both call for formal risk assessments and risk mitigation processes.
- Incident Response: Both call for documented incident response plans and incident management procedures.
- System Change Management: Both require controls around system development, updates, and configuration changes.
While the language and structure may differ slightly, the intent behind many of the controls is the same.
Why Pursue Both SOC 2 and C5 Reports?
Organizations that are already established in, or are expanding into, both U.S. and European markets find that having both a SOC 2 and a C5 report helps them meet customer expectations and reduces friction in the sales and procurement process. The frameworks share common goals, including protecting customer data, demonstrating internal control maturity, and supporting regulatory compliance. Together, they form a complementary assurance package that shows your organization is committed to data protection on a global scale.
Key benefits of pursuing both reports include:
- Marketability Across Regions: Holding both reports removes barriers during vendor onboarding and RFP processes.
- Increased Customer Trust and Confidence: Prospects and existing clients gain assurance that your organization is independently verified to be operating securely and responsibly across borders.
- Enhanced Competitive Edge: Demonstrating compliance with two respected frameworks positions your organization as a leader in security and transparency, helping you stand out in crowded markets.
- Audit Synergy: Many SOC 2 and C5 control requirements overlap. When planned strategically, these assessments can be coordinated to reduce redundancy, saving time and internal resources.
- Security: Undergoing both assessments demonstrates an organization’s commitment to security and helps to establish a mature internal control environment.
Pursuing both a SOC 2 and a C5 attestation report strengthens your overall security standing and allows your organization to demonstrate its commitment to high security and compliance standards, giving you a clear competitive advantage across international markets. Beyond the benefits of holding both reports, there are advantages to consolidating compliance efforts by leveraging the two frameworks together throughout the attestation process.
Leveraging Both Frameworks Efficiently
Given the many areas of overlap between SOC 2 and C5 attestation reports, there are ample opportunities to consolidate compliance initiatives. To streamline both SOC 2 and C5 without duplicating efforts, organizations can:
- Map Controls Across Frameworks: Create a unified control matrix that aligns each control activity to both the SOC 2 TSC and the C5 requirements.
- Map Evidence Across Frameworks: After identifying the controls that map across frameworks, map what requests can be used to satisfy the requirement for each audit.
- Use a Single Assessor: Engaging with a firm that can perform both assessments can reduce time and effort through shared walkthroughs, testing, and reporting.
- Plan Assessments Together: Align audit timelines so evidence can be reused, and team resources can be managed efficiently.
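The first two steps above, the unified control matrix and the evidence map, are where most of the savings come from, and they are easy to get wrong when tracked in spreadsheets. The following script is an added example (not Schellman's tooling or either framework's official mapping) of a small control matrix that records, for each control activity, the SOC 2 TSC criteria and C5 criteria it addresses and the evidence artifacts that satisfy it. From that one matrix it derives a consolidated evidence request list, measures how much evidence can be reused across the two audits, and flags required criteria that no control currently covers. All control IDs, criteria codes, and evidence names are constructed sample data; substitute your own mapping against the current TSC and C5 catalogues before relying on the output.

```python
"""Unified SOC 2 / C5 control matrix with evidence reuse and gap reporting.

Added example, not code from the original article. The criteria codes and
evidence artifact names below are constructed for illustration only and are
not a verified mapping to the AICPA TSC or the BSI C5 catalogue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    soc2: frozenset   # TSC criteria this control activity addresses
    c5: frozenset     # C5 criteria this control activity addresses
    evidence: frozenset  # artifacts an auditor would request for this control


# Constructed sample matrix. Criteria codes are placeholders, not verified IDs.
SAMPLE_CONTROLS = [
    Control("AC-01", "Quarterly user access reviews",
            frozenset({"CC6.2", "CC6.3"}), frozenset({"IDM-04"}),
            frozenset({"access_review_2025Q1", "access_review_2025Q2"})),
    Control("LOG-01", "Centralized logging with alerting on security events",
            frozenset({"CC7.2"}), frozenset({"OPS-10"}),
            frozenset({"siem_alert_config", "sample_alert_tickets"})),
    Control("RM-01", "Annual risk assessment and risk register review",
            frozenset({"CC3.2"}), frozenset({"OIS-06"}),
            frozenset({"risk_register_2025"})),
    Control("IR-01", "Incident response plan with annual tabletop exercise",
            frozenset({"CC7.4"}), frozenset({"SIM-01"}),
            frozenset({"ir_plan_v3", "tabletop_2025"})),
    # Change management exists but has not yet been mapped to C5: a real gap
    # in the matrix, not in the control environment.
    Control("CM-01", "Peer-approved changes enforced in the CI pipeline",
            frozenset({"CC8.1"}), frozenset(),
            frozenset({"pr_approval_sample"})),
    # A C5-only commitment with no SOC 2 counterpart in this sample.
    Control("SOV-01", "Documented data processing locations per customer",
            frozenset(), frozenset({"PI-01"}),
            frozenset({"data_location_statement"})),
]

# Criteria each audit is expected to cover (constructed sample scope).
REQUIRED_SOC2 = frozenset({"CC3.2", "CC6.2", "CC6.3", "CC7.2", "CC7.4", "CC8.1", "CC9.1"})
REQUIRED_C5 = frozenset({"IDM-04", "OPS-10", "OIS-06", "SIM-01", "PI-01", "DEV-03"})


def build_matrix(controls):
    """Return the unified matrix as {control_id: {soc2, c5, evidence}} with sorted lists."""
    return {
        c.control_id: {
            "soc2": sorted(c.soc2),
            "c5": sorted(c.c5),
            "evidence": sorted(c.evidence),
        }
        for c in controls
    }


def evidence_requests(controls):
    """Consolidated request list: {artifact: set of framework names it satisfies}."""
    requests = {}
    for c in controls:
        frameworks = set()
        if c.soc2:
            frameworks.add("SOC 2")
        if c.c5:
            frameworks.add("C5")
        for artifact in c.evidence:
            requests.setdefault(artifact, set()).update(frameworks)
    return requests


def reuse_summary(controls):
    """Compare one consolidated request list against two independent audits."""
    requests = evidence_requests(controls)
    separate = sum(len(frameworks) for frameworks in requests.values())
    shared = sum(1 for frameworks in requests.values() if len(frameworks) == 2)
    return {"consolidated": len(requests), "separate": separate, "shared": shared}


def coverage_gaps(controls, required_soc2, required_c5):
    """Required criteria that no control in the matrix is mapped to."""
    covered_soc2 = set().union(*(c.soc2 for c in controls))
    covered_c5 = set().union(*(c.c5 for c in controls))
    return {
        "soc2": sorted(set(required_soc2) - covered_soc2),
        "c5": sorted(set(required_c5) - covered_c5),
    }


if __name__ == "__main__":
    for cid, row in build_matrix(SAMPLE_CONTROLS).items():
        print(cid, row)
    print("reuse:", reuse_summary(SAMPLE_CONTROLS))
    print("gaps:", coverage_gaps(SAMPLE_CONTROLS, REQUIRED_SOC2, REQUIRED_C5))
```

On the sample data the consolidated list contains 9 artifacts where two independent audits would have generated 16 requests, and the gap report shows that CC9.1 and DEV-03 are in scope but unmapped. The CM-01 case is the one to watch for in practice: the control is implemented and evidenced for SOC 2, so the C5 "gap" is a mapping omission that a one-line edit to the matrix closes, whereas an entry with no control behind it is real remediation work.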
By leveraging both frameworks efficiently and consolidating compliance efforts, organizations can save valuable time and resources without disrupting daily operations.
The Road Ahead in Your SOC 2 and C5 Compliance Journey
As organizations continue to expand globally and operate in multiple jurisdictions, the ability to efficiently comply with multiple frameworks like SOC 2 and C5 will be of paramount importance. These two frameworks, while different in their structure and regional focus, share a strong foundation in risk and security management.
By understanding how they overlap and planning strategically, organizations can reduce audit fatigue, streamline compliance, and build greater trust with customers worldwide. If you’re ready to begin your SOC 2 Compliance Examination or C5 Attestation journey or have any additional questions about the requirements or process, Schellman can help. Contact us today and we’ll get back to you shortly.
About Nate Kocan
Nate Kocan is a Manager within the SOC Services practice at Schellman, based in Columbus, OH. Prior to joining Schellman, Nate specialized in SOC 1 audits and IT audits supporting financial statement audits. As a Manager with Schellman, Nate has over six years of experience serving clients in various industries, including cloud computing and data centers, financial services and fintech, and healthcare. Nate is focused primarily on SOC, HIPAA, and various attestation audits for organizations across many industries.